Monday, January 08, 2007

3 Wishes for Web Browser Security

Web browser security is broken. Completely shattered.

Take the Top 10 Web Hacks of 2006 and the 60 more that follow to see what I mean. XSS, CSRF, and other attacks make it so bad we can’t be certain we’re the ones driving our browsers. Short of completely reinventing HTTP/HTML/JavaScript/Cookies and other fundamental Web technologies (not going to happen), there are a few things we can do. People will get infected with JavaScript Malware, but there’s no reason why we can’t limit the damage without impacting the user experience.

Here are 3 web browser security enhancements I’d like to see. The sooner the better.

1) Restrict websites with public IPs from including content from websites with non-routable IP addresses (RFC 1918)

This restriction is designed to protect against Hacking Intranet Websites from the Outside (Port Scanning, Fingerprinting, etc.). If JavaScript Malware can’t force a browser to make requests to non-routable IP addresses, then there’s not much left it can do, whether or not it has your private IP. I can’t think of any good reason that a website with a public IP would legitimately need to include data from a private IP.
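To make the rule concrete, here is an added example (not code from the original post) that models the decision a browser would have to make: given the page's origin and the URL of a subresource it wants to load, resolve both to IP addresses and refuse the load when the page is on a public address and the resource is on an RFC 1918 address. The `RESOLVE` table is a constructed stand-in for DNS; a real browser would key the decision on the address each connection is actually made to, not on the hostname. Note that the rule exactly as stated covers only the three RFC 1918 ranges, so loopback (127.0.0.0/8) and link-local addresses pass through it; the last check below makes that caveat visible.

```python
import ipaddress
from urllib.parse import urlsplit

# The three RFC 1918 private ranges the rule refers to.
RFC1918_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Constructed stand-in for DNS resolution (hostname -> IPv4 address).
# Public hosts use documentation ranges; private hosts use RFC 1918 space.
RESOLVE = {
    "attacker.example": "203.0.113.10",
    "www.example.com": "198.51.100.20",
    "intranet.corp": "10.1.2.3",
    "printer.corp": "192.168.0.50",
    "localhost": "127.0.0.1",
}


def is_rfc1918(ip):
    """True only for the RFC 1918 ranges; loopback/link-local are NOT included."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918_NETWORKS)


def host_ip(url, resolve=RESOLVE):
    """Return the address a URL's host resolves to; literal IPs are used as-is."""
    host = urlsplit(url).hostname
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return resolve[host]


def allow_subresource(page_url, resource_url, resolve=RESOLVE):
    """The wished-for rule: a page served from a public IP may not include
    content served from an RFC 1918 address. Pages already on a private
    address keep loading both intranet and internet content as before."""
    page_private = is_rfc1918(host_ip(page_url, resolve))
    resource_private = is_rfc1918(host_ip(resource_url, resolve))
    if page_private:
        return True
    return not resource_private


def decisions(page_url, resource_urls, resolve=RESOLVE):
    """Apply the rule to a batch of constructed requests from one page."""
    return {
        url: ("allow" if allow_subresource(page_url, url, resolve) else "block")
        for url in resource_urls
    }


if __name__ == "__main__":
    # Constructed scenario: a public page tries to pull in several resources.
    page = "http://attacker.example/page.html"
    wanted = [
        "http://intranet.corp/",            # RFC 1918 -> blocked
        "http://192.168.0.50:8080/img.png", # literal RFC 1918 IP -> blocked
        "https://www.example.com/lib.js",   # public -> allowed
        "http://localhost/",                # loopback, outside RFC 1918 -> allowed
    ]
    for url, verdict in decisions(page, wanted).items():
        print(f"{verdict:5} {url}")
```

The loopback result is the practitioner's caveat: if the goal is to stop a browser being steered at anything on the local network, the policy needs to enumerate more than the three RFC 1918 blocks.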

The name says it all. These are excellent extensions that provide a good amount of security all users can benefit from. Collin Jackson, Andrew Bortz, Dan Boneh, and John Mitchell from Stanford and the guys from Netcraft did a great job. I don’t know what Mozilla’s policy is on this kind of thing, but this is one they should definitely consider building in by default. Another feature I’d like to see is restriction of any non-alphanumeric character in the fragment portion of the URL. This is designed to stop DOM-based XSS and UXSS.

3) Same-origin policy applied to the JavaScript Error Console

JavaScript errors from code located on DomainA should not be readable from DomainB. This enhancement is designed to protect against the Login/History Detection Hack. So when SCRIPT SRCing in a page from another domain (Gmail, Yahoo Mail, MSN, etc.), hoping to get a signature match, you’d be out of luck because you can’t see the error message. This might hinder debugging in some cases, but not much, I don’t think.
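As an added example (not part of the original post), the following models the proposed rule: an error console whose entries carry the URL of the script that raised them, and a view of that console filtered by the origin of the page asking. Same-origin entries keep their message and line number; cross-origin entries are reduced to a fixed, uninformative marker. The two constructed console states stand for the same cross-domain page loaded while logged in and while logged out, producing different parse errors; the point of the filter is that, seen from a page on a third domain, the two states become indistinguishable, so there is no signature left to match. The `same_origin` helper uses the standard scheme/host/port comparison with default ports normalised.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# What a cross-origin page gets to see instead of the real error.
OPAQUE_ERROR = {"message": "Script error.", "line": 0}


def origin(url):
    """(scheme, host, port) with default ports filled in, per same-origin policy."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def errors_visible_to(page_url, console):
    """Return the view of the error console a page from page_url may read.

    console: list of (script_url, message, line) tuples as the browser records
    them. Errors raised by same-origin scripts are returned in full; errors from
    cross-origin scripts are replaced by OPAQUE_ERROR. The script URL itself is
    kept because the including page chose it and already knows it."""
    view = []
    for script_url, message, line in console:
        if same_origin(page_url, script_url):
            view.append({"script": script_url, "message": message, "line": line})
        else:
            view.append({"script": script_url, **OPAQUE_ERROR})
    return view


# Constructed console states. The first entry is the page's own script; the
# second is a cross-domain HTML page pulled in via SCRIPT SRC, which fails to
# parse differently depending on the victim's session state.
CONSOLE_LOGGED_IN = [
    ("http://attacker.example/app.js", "ReferenceError: foo is not defined", 12),
    ("https://mail.example.net/inbox", "SyntaxError: unexpected token '<'", 1),
]
CONSOLE_LOGGED_OUT = [
    ("http://attacker.example/app.js", "ReferenceError: foo is not defined", 12),
    ("https://mail.example.net/inbox", "SyntaxError: unexpected token 'D'", 3),
]


def states_distinguishable(page_url):
    """True if the page could tell the two session states apart from its view."""
    return (errors_visible_to(page_url, CONSOLE_LOGGED_IN)
            != errors_visible_to(page_url, CONSOLE_LOGGED_OUT))


if __name__ == "__main__":
    page = "http://attacker.example/index.html"
    for entry in errors_visible_to(page, CONSOLE_LOGGED_IN):
        print(entry)
    print("distinguishable from", page, "->", states_distinguishable(page))
    # A page on mail.example.net itself still sees its own errors in full.
    print("distinguishable from mail.example.net ->",
          states_distinguishable("https://mail.example.net/other"))
```

The behaviour modelled here is close to what browsers later shipped: `window.onerror` receives only `Script error.` for cross-origin scripts unless the script is served with CORS headers and loaded with a `crossorigin` attribute.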

Browsers do too much. They're like a little OS inside the OS now, and they're being beaten up badly. Basically being kicked in the head while they're already curled up in the fetal position on the ground out cold. I'd love to see browsers take about 10 steps back and move away from "do all be all every function you can imagine" tools.

Sadly, that may never happen, but I like your list in this post. These are very doable things for every browser vendor with these issues.

About Me

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!